
List:       mod-security-users
Subject:    Re: [mod-security-users] Has anyone ever used multiMatch?
From:       Brian Rectanus <Brian.Rectanus () breach ! com>
Date:       2009-09-04 15:55:51
Message-ID: 4AA13887.8090007 () breach ! com

Depends on what you intended.  What you seem to have intended is to 
apply the 3 decoding functions in parallel, but what will happen is that 
it will be done in the order that you have specified, progressively. 
This can cause things to be decoded more than once that were not 
intended to be.

Let's look at an innocent example.  You have a parameter that contains 
this value that is CSS encoded ("\5c " is a "\"):

c:\5c films\5c actors\5c 007

You probably intend that to be decoded as:

c:\films\actors\007

But this is how it was actually decoded:

[5] Adding request argument (QUERY_STRING): name "test", value "c:\\5c 
films\\5c actors\\5c 007"
[5] Rule aae8e0: SecRule "ARGS" "@rx \\x07" 
"phase:2,log,auditlog,deny,t:none,t:htmlEntityDecode,t:cssDecode,t:jsDecode" 

[9] CACHE: Disabled - ARGS:test value length=28, smaller than minlen=32
[9] T (0) htmlEntityDecode: "c:\\5c films\\5c actors\\5c 007"
[9] T (0) cssDecode: "c:\\films\\actors\\007"

So far so good, but then the JS decoding...

[9] T (0) jsDecode: "c:\x0cilms\x07ctors\x07"

Oops!  And now a false positive match against hex value 07:

[4] Executing operator "rx" with param "\\x07" against ARGS:test.
[9] Target value: "c:\x0cilms\x07ctors\x07"
[4] Operator completed in 30 usec.
[4] Rule returned 1.
[9] Match, intercepted -> returning.

So, no, you cannot do that ;)

-B

Nick Gearls wrote:
> What's the exact problem of using only
> t:none,t:htmlEntityDecode,t:cssDecode,t:jsDecode
> 
> Do you see a possibility of missing an attack, or getting a false positive?
> 
> Nick
> 
> 
> Ivan Ristic wrote:
> > To respond to my own email, I've never used multiMatch. I did
> > encounter a situation where multiMatch would be useful, but it didn't
> > quite do what I needed. As an example, below is an extract from some
> > work that I never finished (it might have gone into the new Core
> > Rules, though).
> > 
> > ------------------------
> > # Do not allow control characters apart from horizontal tab (9/0x09),
> > # line feed (10/0x0a) and carriage return (13/0x0d).
> > #
> > # Ref: http://en.wikipedia.org/wiki/Control_character
> > # Ref: http://www.w3.org/MarkUp/html3/specialchars.html
> > #
> > SecRule ARGS "@validateByteRange 9,10,13,32-255" \
> > t:none
> > 
> > # Verify for invalid bytes in HTML content.
> > #
> > SecRule ARGS "@validateByteRange 9,10,13,32-255" \
> > t:none,t:htmlEntityDecode
> > 
> > # Verify for invalid bytes in JavaScript context.
> > #
> > SecRule ARGS "@validateByteRange 9,10,13,32-255" \
> > t:none,t:htmlEntityDecode,t:jsDecode
> > 
> > # Verify for invalid bytes in CSS context.
> > #
> > SecRule ARGS "@validateByteRange 9,10,13,32-255" \
> > t:none,t:htmlEntityDecode,t:cssDecode
> > 
> > # TODO The above could be combined into one, really.
> > ------------------------
> > 
> > Three of the above rules could be combined into one using multiMatch,
> > but not all of them since there's a branch in the logic.
> > 
> > 
> > 
> > On Fri, Aug 21, 2009 at 3:46 PM, Ivan Ristic <ivan.ristic@gmail.com> wrote:
> > > I am really curious, has anyone ever used (or even thought about
> > > using) the multiMatch action?
> > > 
> > > http://www.modsecurity.org/documentation/modsecurity-apache/2.5.9/modsecurity2-apache-reference.html#N1182A
> > >  
> > > --
> > > Ivan Ristic
> > > Security assessment of your SSL servers
> > > https://www.ssllabs.com/ssldb/
> 
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Appliances, Rule Sets and Support:
> http://www.modsecurity.org/breach/index.html

-- 
Brian Rectanus
Breach Security
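The transformation chain Brian traces above, reproduced as an added example (this is not ModSecurity's code, nor code from anyone in the thread): simplified stand-ins for htmlEntityDecode, cssDecode and jsDecode, covering only the escape forms the sample needs, applied first in sequence as the single t:none,t:htmlEntityDecode,t:cssDecode,t:jsDecode chain Nick asked about and then as the separate per-context rules from Ivan's extract, with an @validateByteRange 9,10,13,32-255 check on each result. The sample string is the one from the thread; the octal and \a handling in js_decode is an assumption chosen to match the debug log quoted above.

```python
"""Simulate ModSecurity's sequential transformation pipeline on the
thread's sample.  The decoders below are simplified re-implementations
(an assumption, not ModSecurity's own code): CSS \\H..H with one optional
trailing whitespace char; JS \\xHH, \\uHHHH, octal \\OOO and the
single-letter escapes, with \\a -> 0x07 as the quoted debug log shows."""
import html
import re

# Constructed sample from the thread: a CSS-encoded path, "\5c " is "\".
SAMPLE = r"c:\5c films\5c actors\5c 007"

# @validateByteRange 9,10,13,32-255
ALLOWED_BYTES = {9, 10, 13} | set(range(32, 256))


def html_entity_decode(value):
    """Stand-in for t:htmlEntityDecode (Python's html.unescape)."""
    return html.unescape(value)


# Up to six hex digits, then one optional whitespace char that is consumed.
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n\r\f]?|\\(.)", re.S)


def css_decode(value):
    """Stand-in for t:cssDecode: \\HH -> byte, \\C -> C."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16) & 0xFF)
        return m.group(2)
    return _CSS_ESCAPE.sub(repl, value)


# Octal: up to 3 digits if the first is 0-3, else up to 2 (stays one byte).
_JS_ESCAPE = re.compile(
    r"\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})"
    r"|([0-3][0-7]{0,2}|[4-7][0-7]?)|(.))", re.S)
_JS_LETTERS = {"a": "\x07", "b": "\x08", "f": "\x0c", "n": "\n",
               "r": "\r", "t": "\t", "v": "\x0b"}


def js_decode(value):
    """Stand-in for t:jsDecode; \\uHHHH keeps only the low byte
    (approximation of ModSecurity's handling)."""
    def repl(m):
        hex2, uni, octal, other = m.groups()
        if hex2 is not None:
            return chr(int(hex2, 16))
        if uni is not None:
            return chr(int(uni, 16) & 0xFF)
        if octal is not None:
            return chr(int(octal, 8))
        return _JS_LETTERS.get(other, other)   # \? \' \" \\ just drop the "\"
    return _JS_ESCAPE.sub(repl, value)


def apply_chain(value, transforms):
    """How ModSecurity applies t:A,t:B,t:C: left to right, each function on
    the previous function's output, never each on the original value."""
    for t in transforms:
        value = t(value)
    return value


def bad_bytes(value):
    """Characters that @validateByteRange 9,10,13,32-255 would reject."""
    return [c for c in value if ord(c) not in ALLOWED_BYTES]


def chained(value=SAMPLE):
    """Nick's single rule: t:none,t:htmlEntityDecode,t:cssDecode,t:jsDecode."""
    return apply_chain(value, [html_entity_decode, css_decode, js_decode])


def per_context(value=SAMPLE):
    """Ivan's four rules: every chain restarts from t:none, so no context's
    decoding feeds another.  Returns {label: (decoded, rejected_chars)}."""
    branches = {
        "raw": [],
        "html": [html_entity_decode],
        "html+js": [html_entity_decode, js_decode],
        "html+css": [html_entity_decode, css_decode],
    }
    out = {}
    for name, transforms in branches.items():
        decoded = apply_chain(value, transforms)
        out[name] = (decoded, bad_bytes(decoded))
    return out


if __name__ == "__main__":
    print("chained  :", repr(chained()), "rejected:", bad_bytes(chained()))
    for name, (decoded, bad) in per_context().items():
        print(f"{name:9}: {decoded!r} rejected: {bad}")
```

Running it gives the same "c:\x0cilms\x07ctors\x07" the debug log shows for the chained rule, while the html+css branch yields the clean path. The simulation also shows that the html+js branch rejects the raw value on its own: to jsDecode, "\5" in "\5c " is an octal escape for 0x05, so a CSS-encoded parameter inspected in a JavaScript context is flagged with or without chaining. What chaining adds is a second decode of a backslash that cssDecode already produced, which is the false positive Brian describes.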
